While framing a law for personal data protection, India had sought a middle path between the industry-friendly laissez faire approach of the US and the scrupulously strict, citizen-centric European General Data Protection Regulation. The former had enabled the explosive growth of the Silicon Valley giants. The latter seeks to protect citizens from unhealthy effects of the explosion. The privacy Bill, drafted by Justice BN Srikrishna in 2018, did balance the interests of industry and individuals, but the version which was cleared by the cabinet in December had been reworked by the information technology ministry to foreground another stakeholder: The government. At the same time, the burden on industry imposed by data localisation requirements had been reduced, at the cost of public safety. Justice Srikrishna anticipates that the system update would pave the way to an “Orwellian state”.
The government has arrogated to itself the right to define the nature of critical private data and the constitution of the proposed Data Protection Authority. In the original draft, the body was at arm’s length from the government, with members appointed by an independent committee. The revised bill transfers this power to government officials, allowing the government of the day to acquire control of the institution. The power to define sensitive and non-sensitive personal data, which is at the core of the privacy law, will also vest with the government. Coupled with the right to call in all non-critical personal data held by any entity, this could legally and democratically enable pervasive state surveillance, which is a feature of authoritarian governments.
While increasing the government’s grip over the privacy law apparatus and allowing it to get under the hood, the revised draft has also diluted provisions requiring foreign fiduciaries from locating and processing data within the territory of India. Data localisation was deemed necessary due to the slow and outdated processes of the Mutual Legal Assistance Treaty, which Indian authorities must follow to secure information from American entities for the purpose of law enforcement. Whether localisation would provide faster access to the data of entities incorporated overseas remains a matter of debate, since the legal process would remain offshore. However, the concerns about a shift in the balance of power raised by Justice Srikrishna are beyond question. Data laws are not made for an ideal world run by high-minded governments. They are written to protect the individual from both Big Digital and Big Brother.